    March 21, 2003

Information System Security
Controls Over the Use and Protection
of Social Security Numbers Within
DoD
(D-2003-066)

              Department of Defense
          Office of the Inspector General
Quality              Integrity        Accountability

  Additional Copies

  To obtain additional copies of this audit report, contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

  Suggestions for Future Audits

  To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

                    OAIG-AUD (ATTN: AFTS Audit Suggestions)
                      Inspector General, Department of Defense
                         400 Army Navy Drive (Room 801)
                             Arlington, VA 22202-4704

  Defense Hotline

  To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

AAFES                 Army and Air Force Exchange Service
DMDC                  Defense Manpower Data Center
DSS                   Defense Security Service
FAR                   Federal Acquisition Regulation
GAO                   General Accounting Office
SSN                   Social Security Number

          Office of the Inspector General of the Department of Defense
Report No. D-2003-066                                                   March 21, 2003
   (Project No. D2002AB-0070)

          Controls Over the Use and Protection of Social Security
                          Numbers Within DoD

                                 Executive Summary

Who Should Read This Report and Why? Program administrators, developers, managers, and users of systems of records, and all DoD personnel interested in how DoD uses and protects Social Security Numbers.

Background. This report is in response to a request by the General Accounting Office for member Inspectors General of the President’s Council on Integrity and Efficiency to conduct a review on the use of Social Security Numbers within their agencies and to verify the information reported on a General Accounting Office questionnaire. The four DoD agencies that responded to the General Accounting Office questionnaire were the Defense Manpower Data Center, the Army and Air Force Exchange Service, the Defense Security Service, and the Tricare Management Activity.

While this report addresses the use of Social Security Numbers within DoD and verifies information reported on a General Accounting Office questionnaire, other reviews by the Office of the Inspector General, Department of Defense, focused on the adequacy of controls over contracting, including use of the Privacy Act clauses in contracts and the disposal of personally identifiable information.

In 1967, DoD adopted the Social Security Number instead of the Military Service Number for identifying Armed Forces personnel. The Social Security Number has become the most widely used identifier in both the public and private sectors.

The Privacy Act of 1974 (Public Law 93-579) states that the right to privacy is a personal and fundamental right protected by the Constitution of the United States. The Privacy Act states that the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies.

Social Security Numbers are used for employee files, medical records, health insurance accounts, credit and banking accounts, university identification cards, and many other purposes, and we believe that there is a higher risk of misuse and potential for identity theft resulting in monetary losses to individuals and businesses.

Results. We reviewed three of the four DoD agencies that responded to the General Accounting Office questionnaire. Those three agencies made disclosures of personally identifiable information for legal purposes; however, their Privacy Programs needed improvements in policy administration, oversight, periodic reviews, physical security, and training.

After we notified officials at the DoD agencies of our findings, they concurred and took or agreed to take the necessary remedial actions to mitigate the risk of improper disclosure of Social Security Numbers. Those actions will help the agencies improve appropriate controls over contractors’ and other entities’ access to and use of the Social Security Numbers maintained in their databases.

Management Comments. We provided a draft of this report to those DoD agencies on November 12, 2002. Written responses to this report were obtained before we issued the draft report. Those comments are included in the Management Comments section.

While we made no recommendations because the three DoD organizations agreed to take appropriate corrective actions, we ask that the Defense Manpower Data Center, the Army and Air Force Exchange Service, and the Defense Security Service provide planned or completed dates for agreed-upon actions. The specific agreed-upon corrective actions are included on page 10 of the report.

Table of Contents

Executive Summary                                            i

Background                                                   1

Objectives                                                   3

Finding
     Use and Protection of Social Security Numbers in DoD    4

Appendixes
     A. Scope and Methodology
          Prior Coverage                                    11
     B. Report Distribution                                 12

Management Comments
     Defense Manpower Data Center Comments                  14
     Army and Air Force Exchange Service Comments           16
     Defense Security Service Comments                      17

Background

    Social Security Numbers. The Social Security Number (SSN) was created in 1936 to track workers’ earnings for calculating Social Security retirement benefits. When SSNs were first introduced, the Federal Government assured the public that use of the numbers would be limited to Social Security programs. However, the SSN has become the most widely used identifier in the public and private sectors. Because SSNs are used for employee files, medical records, health insurance accounts, credit and banking accounts, university identification cards, and many other purposes, there is potential for identity theft resulting in monetary losses to individuals and businesses. In 1967, DoD adopted the SSN instead of the Military Service Number for identifying Armed Forces personnel.

    Privacy Act of 1974. The Privacy Act of 1974 (Public Law 93-579) states that the right to privacy is a personal and fundamental right protected by the Constitution of the United States. The Privacy Act states that the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies. The increasing use of computers and sophisticated information technology has increased the threat to individual privacy that can occur when collecting, maintaining, using, and disseminating personal information. The purpose of the Privacy Act is to provide certain safeguards for an individual against the invasion of privacy. One of the purposes of the Privacy Act is to permit individuals to determine which records pertaining to them are collected, maintained, or disseminated to other agencies. DoD policy prohibits disclosure of personally identifiable records maintained by Government agencies without a person’s consent, and grants individuals the right to access and amend those records if they are not accurate, relevant, current, or complete.

    DoD Directive 5400.11, “DoD Privacy Program,” December 13, 1999. The Directive states that personal information such as SSNs that identifies individuals shall be collected, maintained, used, and disclosed only when it is relevant and necessary to accomplish a lawful DoD purpose. When the information is collected, the agency must inform the individual why it is being collected, the authority for collection, whether the disclosure is mandatory or voluntary, and the consequences of not providing that information. The Directive permits individuals to determine, to the extent authorized by the Privacy Act, which records pertaining to them are contained in a system of records maintained by a DoD Component. It permits an individual to gain access to such records that pertain to them, obtain a copy of the records, correct inaccurate information on a showing that the records are not accurate, relevant, current, and complete, and appeal a denial of access or of a request for amendment to those records. The Directive defines a record as any collection of information about an individual that identifies, relates to, or is unique to an individual, such as an SSN. A group of records is called a system of records. Before a system of records is established and personally identifying information is obtained, a notice of the system of records must first be published in the Federal Register. Publication in the register constitutes official public notice. The Directive also states that once the information is collected, appropriate safeguards will be established to ensure the security of the records. Components must issue procedures, conduct periodic reviews, and train personnel on their Privacy Program.

    Federal Acquisition Regulation. The Federal Acquisition Regulation (FAR) Part 24, “Protection of Privacy and Freedom of Information,” prescribes policies and procedures that apply the requirements of the Privacy Act of 1974 to Government contracts. The FAR requires contracting officers to insert Privacy Act clauses 52.224-1 and 52.224-2 in contracts. When the design, development, or operation of a system of records on individuals is required to accomplish an agency function, the clauses require contractors to comply with the Privacy Act of 1974.

    General Accounting Office Review. The House Ways and Means Committee, Subcommittee on Social Security, and the Senate Judiciary Committee, Subcommittee on Technology, Terrorism, and Government Information, requested the General Accounting Office (GAO) to review the Government’s use of SSNs. The review began in March 2001 and examined the Federal, State, and local governments’ use of SSNs to administer programs, provide services to the public, protect individuals’ privacy, and prevent identity theft. The review focused on 18 Federal agencies, including DoD. GAO sent a questionnaire to the agencies on their use and protection of SSNs. The GAO review formed the basis for the President’s Council on Integrity and Efficiency’s request for member Inspectors General to review the use of SSNs in their agencies, verify the information provided to GAO, and report the findings to the Social Security Administration, Office of the Inspector General.

    DoD Organizations Reviewed. The GAO sent the questionnaire to four DoD agencies. We reviewed information for the Defense Manpower Data Center (DMDC), the Army and Air Force Exchange Service (AAFES), and the Defense Security Service (DSS).

        DMDC. The DMDC reports to the Under Secretary of Defense for Personnel and Readiness. DMDC is the central repository of all DoD human resource information. Its mission is to collect, provide, and use the central repository of information for the benefit of DoD decision makers, DoD organizations, and other Government agencies. In 2001, DMDC received and archived more than 5,000 separate databases containing more than 1.25 billion individual records.

        AAFES. The AAFES is a military organization that provides quality retail merchandise and services at low prices to members of the Armed Forces, military retirees, and their families. The AAFES returns its earnings to the Army and Air Force to improve the quality of life for military families. Although AAFES is a Federal organization, it is a nonappropriated fund instrumentality that does not rely on appropriated tax dollars for major support. The AAFES operates almost exclusively with funds generated from its business income.

        DSS. The DSS is a security organization providing personnel investigations, industrial security products and services, and comprehensive security training to DoD and other Government agencies. DSS investigative agents conduct personnel security investigations of military personnel, DoD civilians, Defense contractors, and other authorized personnel. DSS also provides oversight and assistance to Defense contractors.

Objectives

     The objective was to determine whether DoD agencies maintain appropriate controls over the access, disclosure, and use of SSN information by third parties. Specifically, we determined whether the selected DoD agencies made disclosures of SSNs to third parties for legal purposes, whether the selected DoD agencies had appropriate controls over contractors’ and other entities’ access to and use of SSNs, and whether the selected agencies had adequate controls over access to individuals’ SSNs maintained in their databases. In addition, we verified the information on the questionnaires completed for the GAO. See Appendix A for a discussion of the scope and methodology and prior audit coverage.

            Use and Protection of Social Security Numbers in DoD

            Although the three DoD agencies made disclosures of personally identifiable information for legal purposes to third parties, improvements in the Privacy Program were needed in contract administration, policy, periodic reviews, physical security, and training. Additional safeguards were required because:

                •   procedures were incomplete,

                •   oversight and administration of contracts were inadequate,

                •   periodic reviews of the Privacy Program were not conducted,

                •   physical security measures for information systems that store SSNs were poor, and

                •   Privacy Act training was not provided.

            As a result, we believe the three DoD agencies had increased risk of SSN misuse and identity theft that could result in potential monetary loss to individuals and businesses. After the agencies were notified of the issues, they initiated corrective actions.

Disclosures of SSNs

     The three DoD agencies we reviewed made disclosures of personally identifiable information for legal purposes. DoD Directive 5400.11 states that personal information that identifies individuals shall be collected, maintained, used, and disclosed only when it is necessary to accomplish a lawful DoD purpose. The agency must inform the individual why the information is being collected and publish a notice for all systems of records.

     DMDC. The DMDC is the central repository of all DoD human resource information. We reviewed two systems that were the focus of the GAO review, the Military Entrance Processing Command File and the High School Students Armed Services Vocational Aptitude Battery File. DMDC did not collect the data for either system, but was the custodian of the information obtained. DMDC provided the information in those files to DoD decision makers, DoD organizations, and other Government agencies. DMDC has memorandums of understanding with the entities to whom it releases information. All entities are required to release the information only to authorized officials. In addition, DMDC has 10 systems of records. We reviewed the largest system, which provides a single central facility within DoD to assess manpower trends, support personnel and readiness functions, perform statistical analyses, assist in detecting fraud and abuse of pay and benefits, and register former and current DoD civilian and military personnel for the purpose of determining medical and other benefits. The notice for this system of records was published in the Federal Register.

     AAFES. Employees and customers of AAFES are adequately informed about the collection, disclosure, and use of their SSNs. Officials stated AAFES provides SSNs to Government agencies and AAFES contractors for employee and customer benefits and services, including health coverage, retirement benefits, payroll taxes, check cashing privileges, and exchange credit cards. AAFES has 27 official systems of records used to accomplish AAFES functions. We reviewed 23 of these systems. Notices for the systems of records were published in the Federal Register.

     DSS. DSS discloses information identifying individuals’ SSNs to non-Government and Government entities. When personal information is collected, individuals are informed of the intended use and disclosure. DSS discloses personal information to law enforcement offices, such as local and state police departments, and to credit bureaus. DSS maintains 15 official systems of records. We reviewed three of those systems because they were the focus of the DSS primary mission of security investigations. Notices for those systems of records were published in the Federal Register. We also reviewed the process used by DSS to protect privacy data during the conduct of personnel security investigations. DSS has an accreditation process with its customers to ensure that personally identifiable information provided to others is properly identified, obtained, used, and disposed of.

Procedures on the Privacy Program

     Of the three agencies reviewed, two did not have complete procedures to address the Privacy Program. DoD Directive 5400.11 requires that procedures be issued addressing the Privacy Program.

     DMDC. DMDC published the “Personnel Data Release and Acquisition Policy,” April 25, 2001, which addresses the release of Privacy Act information and provides legal accountability for all data released from DMDC that is individually identifiable. However, the policy did not define a process for releasing data to other DoD organizations, Government organizations, and others. Officials agreed to revise the policy to include the process to be followed when releasing personally identifiable data. The revised policy would ensure consistent practices on requests to obtain personally identifiable information such as SSNs and on the release of the data. Because officials agreed to take action, we did not make a recommendation.

     AAFES. The AAFES established procedures to implement the DoD Privacy Program requirements. The AAFES Exchange Operating Procedures 11-1, “AAFES Privacy Program,” dated July 16, 2001, provides adequate policies, procedures, a process, and guidance for its Privacy Program.

     DSS. DSS established procedures to implement the DoD Privacy Program requirements. DSS Regulation 01-13-R, “Privacy Program,” dated January 2, 2001, and DSS Regulation 20-12, “Investigation – Protection and Release of Investigative Information,” dated June 30, 2000, provide rules, policies, and procedures for the disclosure of personal records in the custody of DSS. However, DSS did not have an overarching standard operating procedure that detailed its personnel security investigations process from beginning to end. DSS officials acknowledged that the standard operating procedures manual was last printed in 1993. The manual describes the DSS Personnel Investigation Center mission, operational policies, and procedures. Officials stated that although a new process had been implemented and procedures for opening, monitoring, and closing cases had changed, the basic structure and mission had not. In addition, DSS provided a handbook and a manual to employees that provide direction, guidance, and standards for investigations and for Privacy Act protection and disclosure. While all of those measures help, officials agreed that an updated standard operating procedure was needed to increase the consistency of how data is protected and processed. Officials are obtaining contractual support for the development and publication of up-to-date operating procedures. The planned policy revision will ensure that information requested by other organizations will be reviewed for approval, documented, and submitted in accordance with the DoD Directive and the Privacy Act. Accordingly, we did not make a recommendation.

Contract Administration and Oversight

     Two of the three agencies reviewed did not ensure that all contracts included the appropriate FAR clauses requiring contractors to adhere to the requirements of the Privacy Act. In addition, officials did not monitor contractors to ensure that they protected system of records information. The FAR requires contracting officers to insert Privacy Act clauses 52.224-1 and 52.224-2 in contracts that pertain to the collection of personally identifiable information.

     DMDC. DMDC employs contractors to help it meet its mission to collect, provide, and use the central repository to provide information to DoD decision makers, DoD organizations, and other Government agencies. According to a DMDC official, DMDC uses a General Services Administration supply-and-service contract that includes the Privacy Act clauses. The contract provides for services at a fixed price. DMDC places an order against the General Services Administration contract for the services. While we did not review the contract, DMDC officials stated that the contract contained the appropriate Privacy Act clauses. Officials at the General Services Administration stated that they do not verify compliance with the Privacy Act clauses because compliance is the responsibility of the organization that places an order against the General Services Administration contract. We believe that the risk of compromise of privacy data is lower because contractor personnel are located at DMDC, which is a secured site. In addition, DMDC personnel monitor and restrict the access of contractor personnel to only the data required to perform their duties.

     AAFES. Officials stated AAFES provides SSNs to contractors to process health care benefits, retirement benefits, disability benefits, employment applications, background investigations, unemployment claims, employment verifications, employee assistance services, credit bureau reporting, and bad check and debt collections. AAFES is a nonappropriated fund instrumentality and therefore is not required to follow the FAR. However, the provisions of the Privacy Act should still be applied to a nonappropriated fund instrumentality. Of the 21 contracts at AAFES we reviewed, 16 included requirements for data protection. However, only 5 of the 16 included the Privacy Act clauses. There was no uniformity in language or requirements relating to the protection of personal information. In addition, AAFES officials stated they did not monitor contractor performance relating to the Privacy Act. AAFES officials agreed to use uniform Privacy Act statements or confidentiality provisions stating that the information will be used only for the purpose for which it was provided. Accordingly, we did not make a recommendation.

     DSS. DSS officials stated DSS has contracts with 12 firms. The firms provide background investigations and credit histories on DoD personnel, and maintain a computer operations center. Only 1 of the 12 contracts we reviewed contained the required Privacy Act FAR clauses. In addition, DSS did not adequately review and monitor how contractors used and disposed of data containing SSNs. For example, one contractor was improperly disposing of personnel background sheets that contained individuals’ SSNs, and a credit bureau was using DSS data to update its database files. While the contract with the credit bureau did not prohibit an update to its files, an official from the DoD Privacy Office stated that the contract should have contained the confidentiality clause and that this omission resulted in a violation of the Privacy Act. General Counsel at DSS informed us that the credit bureau had reviewed its database and eliminated information it obtained as a result of the contract with DSS. He stated that it was unnecessary for the credit bureau to again review its database because the update had occurred a long time ago and there have been no new complaints. Other reviews by the Office of the Inspector General, Department of Defense, focused on the adequacy of controls over contracting, including use of the Privacy Act clauses in contracts and the disposal of personally identifiable information at the Defense Security Service.

     We provided our findings to DSS officials, who agreed to take the necessary action to remedy the deficiencies. They agreed to modify each contract to include the appropriate FAR clauses, conduct unannounced visits at contractor sites, and conduct routine data protection reviews. They also agreed to assign a contracting officer representative to contact each credit bureau to ensure that changes to individual records were not made from information that DSS supplied. Accordingly, we did not make a recommendation.

Privacy Act Program Review

     None of the three DoD agencies reviewed was conducting periodic reviews of the Privacy Program. DoD Directive 5400.11 requires periodic reviews of the Privacy Program by the agency’s Inspector General or other officials who have specialized knowledge of the DoD Privacy Program.

     DMDC. Officials at DMDC stated that periodic reviews of the Privacy Program were not conducted because DMDC lacked personnel to perform this duty. However, as a result of our visit, DMDC officials agreed to start performing reviews. Accordingly, we did not make a recommendation.

     AAFES. Officials at AAFES stated that they performed periodic reviews of the Privacy Program until 1999. However, when Congress eliminated the reporting requirement on the number of access and amendment requests processed, AAFES officials stated they ceased performing the reviews. As a result of our visit, AAFES officials agreed to periodically perform internal audits addressing Privacy Act oversight and verification of SSN use and protection. Accordingly, we did not make a recommendation.

     DSS. Officials at DSS stated that they performed the last review of the Privacy Program in 1994. By 1997, the Director and senior staff of DSS had stopped the Inspector General inspection process and changed the Inspector General office to Strategic Planning. In 1999, the Inspector General office was reestablished and the inspection process resumed. The Office of the Inspector General for the Defense Security Service scheduled an inspection of the Office of Freedom of Information and Privacy from September 9 through September 12, 2002. The Privacy Act Office inspection was completed on September 20, 2002. While there was a long delay in the review of the program, the reestablishment of the Inspector General office and the September inspection are positive steps. As a result, we did not make a recommendation.

Physical Security of Information Systems

     One of the three DoD agencies reviewed did not secure information systems that contained SSNs. DoD Directive 5400.11 requires that privacy information be secured.

     DMDC. The DMDC mainframe computer is located off-site. At certain times during the week, the mainframe is in an area that is not staffed and has minimal physical security. Although the system of records that contains SSNs could not be accessed or manipulated without the use of special equipment, the area that housed the mainframe stored components that contained personally identifiable information. Officials at DMDC agreed to consult a security professional to perform a risk assessment of the vulnerability of the mainframe and storage media. Therefore, we did not make a recommendation.

     AAFES. The AAFES has safeguards to ensure the protection of sensitive information, including Privacy Act data. The buildings have guards, and badges and escorts are required. The data center where the mainframes are located is monitored 24 hours a day, 7 days a week, with access controlled by badges and personal identification numbers. Officials stated that computer safeguards include user identification, password protection, firewalls, and intrusion detection systems. Officials stated that third-party access to the AAFES intranet is limited, because most data is retrieved from the systems of records into data sets and then provided securely to outside entities.

     DSS. DSS has safeguards to ensure the protection of systems that maintain sensitive information, including SSNs. Access at all DSS locations is restricted to authorized personnel with proper identification. The buildings have guards posted at the entryways, who check badges. Escorts are provided when needed. Additionally, the Personnel Investigation Center, where personnel security investigations data are maintained, is located on a secure military base. There are cipher locks in the area where the computer terminals are located. All users of DSS information systems must obtain security clearances. Officials stated that computer safeguards include user identification, password protection, encrypted data transmission, and transportation of hard copies through approved sources. In addition, the computer system records user access.

Privacy Act Training

     One of the three DoD agencies reviewed did not provide employees with the required Privacy Act training. DoD Directive 5400.11 requires Components to hold training sessions on their Privacy Programs.

     DMDC. Privacy Act training is required for new employees and, on a yearly basis, for other staff. Employee training lasts for 1 hour and covers the Privacy Act and the Freedom of Information Act. New employee training addresses the mission of the organization, job descriptions, organization charts, the Privacy Act, and the Freedom of Information Act.

     AAFES. AAFES employees who work with the Treasury Offset Program are required to read the Treasury Offset Program pamphlet and view a video on protection of taxpayer information annually. This is an Internal Revenue Service requirement, and AAFES must annually provide a Safeguard Activity Report on how AAFES protects taxpayer data. However, AAFES officials stated they had no employee training on the DoD Privacy Program, Privacy Act requirements, and the protection and use of SSNs. Officials at AAFES stated that they had overlooked the requirement; however, they would produce a video for distribution to AAFES facilities worldwide concerning the Privacy Act and the use and protection of SSNs. Accordingly, we did not make a recommendation.

     DSS. DSS established a training curriculum to inform employees how to safeguard information covered by the Freedom of Information Act and the Privacy Act. The DSS provides an annual security refresher briefing. The DSS Security Division provides the training, which outlines the objectives of the Privacy Act and the agencies’ responsibilities for maintaining, requesting, and disclosing Privacy Act information. In addition, DSS requires its contractors who conduct personnel security investigations to conduct and receive periodic training in handling and processing confidential and Privacy Act data. According to DSS, future DSS contracts will stress Privacy Act training and data protection.

Summary

     The Privacy Act of 1974 states that the right to privacy is a personal and fundamental right protected by the Constitution of the United States. The Privacy Act provides that the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies. The increasing use of computers has increased the potential for harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information. Agencies need to make informed disclosures for legal purposes when collecting and releasing personally identifiable information such as SSNs. The procedures in the Privacy Program define the rules of the agency and the process to carry out the mission as it relates to the Privacy Program. The contract administration and oversight function allows an agency to oversee the functions of its contractors, who must follow the same general rules as the agency. The physical security of information protects the systems from misuse, and training keeps employees informed on the requirements of DoD Directives and the Privacy Act. All of the improvements will reduce the risk of unauthorized loss of control over personally identifiable data entrusted to DoD and its contractors.

Planned Actions by Management

     DMDC. The following actions were agreed to by DMDC:

               1. Revise the Privacy Policy to include the process to be followed when releasing personally identifiable data,

               2. Start performing reviews of the Privacy Program, and

               3. Consult a security professional to perform a risk assessment of mainframe and storage media vulnerability.

     AAFES. The following actions were agreed to by AAFES:

               1. Use uniform Privacy Act statements or confidentiality provisions and include those provisions in all contracts,

               2. Conduct periodic reviews of the Privacy Program, and

               3. Produce a video on the Privacy Act and the use and protection of SSNs and distribute the video to its facilities worldwide.

     DSS. The following actions were agreed to by DSS:

               1. Update standard operating procedures for the protection and release of privacy data,

               2. Modify contracts to include the appropriate FAR clauses,

               3. Conduct unannounced visits to contractor sites, and

               4. Assign a representative to ensure that credit bureaus did not make changes to individual credit records from data provided by DSS for other purposes.

Appendix A. Scope and Methodology

      We visited the Defense Manpower Data Center, the Army and Air Force Exchange Service, and the Defense Security Service. We reviewed 38 systems of records, 33 contracts, and 10 facilities.
We reviewed the agencies\xe2\x80\x99 controls over\n      the use, disclosure, and access to SSN information by third parties, interviewed\n      agency officials responsible for controlling SSN disclosure and access, verified\n      and updated key pieces of information provided on GAO questionnaires, and\n      provided examples of additional steps that the agencies can take to ensure that it\n      has adequate controls over the use and protection of SSNs. We also reviewed\n      four contractors and their controls over the use, disclosure, and access to SSN\n      information. We did not review the controls over contracting at the Defense\n      Manpower Data Center, the Army and Air Force Exchange Service, and the\n      Defense Security Service. The controls over contracting at Defense Security\n      Service is being reviewed under a separate audit by the Inspector General,\n      Department of Defense. We also did not test the software application used to\n      monitor and control access to the data files that contained personally identifiable\n      information.\n\n      We performed this audit from January 2002 through October 2002 in accordance\n      with generally accepted government auditing standards. The management control\n      program was not an announced objective and was not reviewed due to time\n      constraints.\n\n      Use of Computer-Processed Data. We did not use computer-processed data to\n      perform this audit.\n\n      General Accounting Office High-Risk Area. The General Accounting Office\n      has identified several high-risk areas in DoD. 
This report provides coverage of\n      the Information Security high-risk area.\n\nPrior Coverage\n      During the last 5 years, the GAO has issued three reports discussing SSNs.\n      Unrestricted GAO reports can be accessed over the Internet at\n      http://www.gao.gov.\n\nGAO\n      GAO-02-766, \xe2\x80\x9cGreater Awareness and Use of Existing Data are Needed,\xe2\x80\x9d\n      June 28, 2002\n\n      GAO-02-352, \xe2\x80\x9cGovernment Benefits from SSN Use But Could Provide Better\n      Safeguards,\xe2\x80\x9d May 31, 2002\n\n      GAO-99-28, \xe2\x80\x9cGovernment and Commercial Use of the Social Security Number is\n      Widespread,\xe2\x80\x9d February 16, 1999\n\n\n\n                                          11\n\x0cAppendix B. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Personnel and Readiness\nAssistant Secretary of Defense (Command Control, Communications and Intelligence)\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDirector, Army and Air Force Exchange Service\nDirector, Defense Manpower Data Center\nDirector, Defense Security Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government 
Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations,\n  Committee on Government Reform\n\n\n\n                                          12\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member (cont\xe2\x80\x99d)\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\nHouse Subcommittee on Ways and Means on Social Security\n\n\n\n\n                                       13\n\x0cDepartment of Defense Manpower Data Center\nComments\n\n\n\n\n                    14\n\x0c15\n\x0cDepartments of the Army and Air Force\nExchange Service Comments\n\n\n\n\n                    16\n\x0cDefense Security Service Comments\n\n\n\n\n                    17\n\x0c18\n\x0c19\n\x0cTeam Members\nThe Acquisition Management Directorate, Office of the Assistant Inspector General for\nAuditing, DoD, prepared this report. Personnel of the Office of the Inspector General,\nDoD, who contributed to the report are listed below.\n\nMary L. Ugone\nBruce A. Burton\nThomas S. Bartoszek\nLisa E. Novis\nThomas J. Hilliard\nRobin G. McCoy\nThelma E. Jackson\nPatrice A. Cousins\nMandi L. Markwart\nConstance E. Wojtek\nJennifer L. Jezewski\nJenshel D. Marshall\nJacqueline N. Pugh\n\x0c'